Hi -
I'm not very clueful about how racoon is really supposed to work, but
in consideration of the fact that it worked afterwards while
it didn't before, I'm thinking I am on the right track...
After I added an SPD entry which lets ICMP pass through, key
negotiation stopped working.
The relevant entries are (first two lines are new):
spdadd 0.0.0.0/0 134.94.206.11 icmp -P out none;
spdadd 134.94.206.11 0.0.0.0/0 icmp -P in none;
spdadd 0.0.0.0/0 134.94.206.11 any -P out ipsec esp/tunnel/134.94.206.1-134.94.206.11/require;
spdadd 134.94.206.11 0.0.0.0/0 any -P in ipsec esp/tunnel/134.94.206.11-134.94.206.1/require;
[... more lines for more tunnel partners ...]
spdadd 0.0.0.0/0 134.94.206.0/24 any -P out discard;
spdadd 134.94.206.0/24 0.0.0.0/0 any -P in discard;
The error message in syslog was:
INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: 134.94.206.1[0]<=>134.94.206.11[0]
ERROR: isakmp_quick.c:2064:get_proposal_r(): policy found, but no IPsec required: 0.0.0.0/0[0] 134.94.206.11/32[0] proto=any dir=out
ERROR: isakmp_quick.c:1071:quick_r1recv(): failed to get proposal for responder.
ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
It obviously hit the ICMP rule.
As proof of the theory, I applied a small patch to racoon:
*** isakmp_quick.c.~1.4.~ Tue May 21 17:21:28 2002
--- isakmp_quick.c Mon Jul 1 20:05:04 2002
***************
*** 2011,2017 ****
--- 2011,2022 ----
spidx.ul_proto = IPSEC_ULPROTO_ANY;
/* get inbound policy */
+ {
+ int sav = spidx.ul_proto;
+ spidx.ul_proto = IPPROTO_UDP;
sp_in = getsp_r(&spidx);
+ spidx.ul_proto = sav;
+ }
if (sp_in == NULL) {
if (iph2->ph1->rmconf->gen_policy) {
plog(LLV_INFO, LOCATION, NULL,
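Review bot: hard-coding IPPROTO_UDP for the inbound lookup only, while the selector built just above still carries IPSEC_ULPROTO_ANY for the outbound side, leaves the two lookups with different selectors; the "difference between the in/out bound policies" NOTIFY that follows is that inconsistency showing up. If the protocol is to be narrowed at all, take it from the peer's Phase 2 ID payload rather than assuming UDP, and apply the same ul_proto to both lookups; otherwise an `icmp ... none` entry listed ahead of the `any ... require` entry will keep shadowing the tunnel policy whenever the selector's protocol is ANY. The `sav` save/restore around `getsp_r(&spidx)` can then go, since the selector would be set once and reused.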
And key negotiation worked again.
There is still a warning in the log:
NOTIFY: proposal.c:1016:set_proposal_from_policy(): There is a difference between the in/out bound policies in SPD.
but this is obviously due to the fact that my patch is far from being a real fix;
it corrects one side only (and even that not correctly...).
best regards
Matthias
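The shadowing described in the message can be reproduced without racoon. The following is an added example, not code from the message or from racoon: it parses the poster's `spdadd` lines and models the SPD search as an ordered, first-match lookup whose protocol comparison treats "any" on either side as a wildcard (that wildcard rule is an assumption about how the daemon searches, made to reproduce the reported behaviour). With that rule, a selector whose protocol is ANY is answered by the first `icmp ... none` entry, which is exactly the "policy found, but no IPsec required" case, while a selector narrowed to UDP, as the patch does for the inbound side, skips the ICMP entries and reaches the `require` policy. The SPD text is constructed from the entries in the message, reflowed to one entry per line; the peer address is the one from the log.

```python
"""Model of an ordered IPsec SPD lookup with wildcard protocol matching.

Added example, not racoon's code: it mimics a first-match, wildcard-tolerant
selector comparison (assumption) to show why an ICMP bypass entry placed
before the tunnel entries is returned for a selector whose protocol is ANY.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Protocol keywords accepted by setkey's spdadd; None stands for "any".
PROTO_BY_NAME = {"any": None, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}
ANY = None


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]   # None == any
    direction: str         # "in" or "out"
    action: str            # "none", "discard" or "ipsec"
    spec: str              # e.g. "esp/tunnel/A-B/require" ("" for none/discard)


def parse_spdadd(line: str) -> Policy:
    """Parse one 'spdadd SRC DST PROTO -P DIR ACTION [SPEC];' line."""
    tokens = line.strip().rstrip(";").split()
    if len(tokens) < 7 or tokens[0] != "spdadd" or tokens[4] != "-P":
        raise ValueError("not an spdadd line: %r" % line)
    return Policy(
        src=ipaddress.ip_network(tokens[1], strict=False),   # bare host -> /32
        dst=ipaddress.ip_network(tokens[2], strict=False),
        proto=PROTO_BY_NAME[tokens[3]],
        direction=tokens[5],
        action=tokens[6],
        spec=" ".join(tokens[7:]),
    )


def parse_spd(text: str) -> List[Policy]:
    """Keep SPD order: the lookup below is first-match, so order is semantic."""
    return [parse_spdadd(l) for l in text.splitlines() if l.strip().startswith("spdadd")]


def lookup(spd: List[Policy], src: str, dst: str, proto: Optional[int],
           direction: str) -> Optional[Policy]:
    """Return the first policy whose selector covers the query.

    Protocol is compared the wildcard way: ANY on either side matches.
    (Assumption: this is what lets the ICMP 'none' entries answer a
    proto=any selector before the 'any ... require' entries are reached.)
    """
    qsrc = ipaddress.ip_network(src, strict=False)
    qdst = ipaddress.ip_network(dst, strict=False)
    for p in spd:
        if p.direction != direction:
            continue
        if p.proto is not ANY and proto is not ANY and p.proto != proto:
            continue
        if qsrc.subnet_of(p.src) and qdst.subnet_of(p.dst):
            return p
    return None


# Constructed from the SPD entries in the message, one entry per line.
SPD_TEXT = """
spdadd 0.0.0.0/0 134.94.206.11 icmp -P out none;
spdadd 134.94.206.11 0.0.0.0/0 icmp -P in none;
spdadd 0.0.0.0/0 134.94.206.11 any -P out ipsec esp/tunnel/134.94.206.1-134.94.206.11/require;
spdadd 134.94.206.11 0.0.0.0/0 any -P in ipsec esp/tunnel/134.94.206.11-134.94.206.1/require;
spdadd 0.0.0.0/0 134.94.206.0/24 any -P out discard;
spdadd 134.94.206.0/24 0.0.0.0/0 any -P in discard;
"""
SPD = parse_spd(SPD_TEXT)
PEER = "134.94.206.11"


def phase2_actions(out_proto: Optional[int], in_proto: Optional[int]):
    """Actions of the outbound and inbound policies a responder would find
    for the peer's 0.0.0.0/0 <-> PEER selector, with a separately chosen
    protocol per direction (the patch narrows only the inbound one)."""
    out = lookup(SPD, "0.0.0.0/0", PEER, out_proto, "out")
    inb = lookup(SPD, PEER, "0.0.0.0/0", in_proto, "in")
    return (out.action if out else None, inb.action if inb else None)


if __name__ == "__main__":
    print("proto=any  :", phase2_actions(ANY, ANY))   # the reported failure
    print("proto=udp  :", phase2_actions(17, 17))     # what narrowing to UDP finds
    print("out=any,in=udp:", phase2_actions(ANY, 17))  # the in/out mismatch
    print("proto=icmp :", phase2_actions(1, 1))       # the intended ICMP bypass
```

Running the four lookups side by side shows why the hack "works" and why the NOTIFY appears: with ANY both directions land on the `none` entries, with UDP both reach the `require` entries, and narrowing only one direction makes the two answers disagree.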